Bowater Incorporated has just sent you a refund

Dear Customer,
Bowater Incorporated has just sent you a full refund of £7849.90 GBP for your purchase.
If you have any questions about this refund, please contact Bowater Incorporated
The refund will go to your PayPal account. It may take a few moments for this transaction to appear in your account.
To see all the transaction details, please download and view from the link below.https://www.paypal.com/uk/cgi-bin/webscr?cmd=view-a-trans&id=47E30904DC4145388

Please do not reply to this email because we are not monitoring this
inbox. To get in touch with us, log in to your account and click
"Contact Us" at the bottom of any page.
Copyright Š 1999-2015 PayPal. All rights reserved.

The link in the email goes to a download location at sharefile.com which leads to a file transaction details.zip containing a malicious executable transaction details.scr.

This binary has a VirusTotal detection rate of just 1/55. The Hybrid Analysis report shows network traffic consistent with Upatre download the Dyre banking trojan. One key IP address in 197.149.90.166 (Cobranet, Nigeria) which is well worth blocking.

Thursday, 30 April 2015

I was tipped off to this site by a contact, but it appears that there are some particularly dispicable scammers who have registered a fake website called savenepal.org which is soliciting donations via PayPal.

The site largely cloned from the legitimateActionAid site which is genuinely seeking donations to go to Nepal.

ActionAid is "Registered charity no 274467" (it says so on the bottom of the page). SaveNepal.org claims to be "Registered charity no 276187", but we can check at the UK charities commission and we can see that the charity with this number is actually an orchestra.

Clicking "Donate" on the scam site leads to PayPal. It doesn't give much of a clue about the ownership of the fake site:

The WHOIS details for the domain are hidden using WhoIsGuard. These other sites appear to be live on the same server:

Of course, these contact details could also be false and there's no definite connection to savenepal.org yet. But out of curiosity, who is helpot80@gmail.com? Googling doesn't reveal much, but it does show a copy of a conversation in the news.admin.net-abuse.email where someone who is claiming to use this email address is complaining about spam. If we then use Google Groups to find the original newsgroup post we see it was posted from an IP of 182.68.85.242 which is a dynamic Bharti Airtel IP in India, which does at least match the country in the WHOIS details.

Another Google result is this Phishtank entry listing social2013.com/rockgrade/ which appears to be a copy of the Rock Grade Management scam site I covered way back in 2011, indicating that perhaps these two scams are related. helpot80@gmail.com was listed as the owner of social2013.com before it expired in February 2015.

The email address also links to this Google+ profile naming them as "N. Al.". It also links to this YouTube channel with a single video about Payoneer. These Profiles indicate that helpot80@gmail.com has an interest in affiliate marketing, an activity with a mixed reputation.

I cannot prove that helpot80@gmail.com is connected with the savenepal.org, but they probably know whoever is behind it.

Remember, if you want to donate to ANY disaster charity, it is worth checking very carefully that you are dealing with the real thing and not a bunch of scammers.

Thank you for making a payment online! We've received yourBill Me Later® payment of $1603.57 and have applied it to your account.

For more details please check attached file

Summary:

Your Bill Me Later Account Number Ending in: 0266

You Paid: $1603.57

Your Payment Date*: 01/20/2014

Your Payment Confirmation Number: 971892583971968191

Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.

BillMeLater

*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.Log in at PayPal.com to make a paymentQuestions:Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.

Bill Me Later accounts are issued by WebBank, Salt Lake City Utah

PQW688PP1

Attached is an archive file PP_03357442.zip which in turn contains a malicious executable PP_03357442.exe which has a VirusTotal detection rate of just 4/45. Automated analysis tools [1][2] show an attempted connection to jatit.org on
72.9.158.240 (Colo4, US) which appears to be a legitimate (but presumably compromised) site.

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@paypal.com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-TEBY66KNZPMU

For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (PayPal , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies. Thank You

PayPal Email ID PP89759

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.

The detection rate for this at VirusTotal is 9/47, automated analysis tools [1][2][3] shows an attempted connection to signsaheadgalway.com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP.

We are writing you this email in regards to your PayPal account. In accordance with our"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm youridentity by completing the attached form. Please print this form and fill in therequested information. Once you have filled out all the information on the form pleasesend it to verification@paypal.com along with a personal identification document(identity card, driving license or international passport) and a proof of addresssubmitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-D503YC19DXP3

For your protection, we might limit your account access. We apologize for anyinconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files containinformation intended for the exclusive use of the individual or entity to whom it isaddressed and may contain information belonging to the sender (PayPal , Inc.) that isproprietary, privileged, confidential and/or protected from disclosure under applicablelaw. If you are not the intended recipient, you are hereby notified that any viewing,copying, disclosure or distributions of this electronic message are violations of federallaw. Please notify the sender of any unintended recipients and delete the originalmessage without making any copies. Thank You

PayPal Email ID PP51954

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which as you might guess is malicious. VirusTotal detections are 16/47, and automated analysis [1][2] shows an attempted connection to trc-sd.com which is the same domain seen in this attack.

On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now

Sincerely, Services for protection

Department

PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.

To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

The link in the email goes through a URL shortening service at [donotclick]url7.org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23/observatories/index.html and then it runs one of the following three scripts:[donotclick]81.143.33.169/garrotting/rumples.js[donotclick]northeastestateagency.co.uk/queues/relaxes.js[donotclick]mineralmizer.webpublishpro,com/peps/dortmund.js

From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack. There are other hijacked GoDaddy domains on the same domain (listed below in italics).

We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.

Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@paypal.com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details

Your case ID for this reason is PP-U3PR33YIL8AV

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE:

This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (PayPal , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

PayPal Email ID PP53161

The link in the email goes to a legitimate hacked site and then loads one of these three scripts:[donotclick]ftp.casacalderoni.com/liquids/pythias.js[donotclick]tuviking.com/trillionth/began.js[donotclick]walegion.comcastbiz.net/wotan/reuses.js

These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack, along with a number of other hijacked domains which are listed in italics below.

Issues with this transaction?You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, log in to your PayPal account, go to your Profile, and click Notifications.

PayPal Email ID PP387

The link in the email goes through a hacked Wordpress site to a malicious landing page at [donotclick]dialupwily.org/closest/incomming_message.php (report here) hosted on 188.225.34.36 (Transit Telecom, Russia). More malware domains to come..

Issues with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.

Please DO NOT reply to this message. auto-notification system can't accept incoming mail. For fast answers to your subjects, visit our Help Center by clicking "Help" located on any PayPal page.

PayPal Email ID P8695

The malicious payload is at [donotclick]ibertomoralles.com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server:

Monday, 6 August 2012

Welcome
Hello [victim],
Thanks for paying with PayPal.
We congratulate you with your first Paypal money transfer. But we have hold it for the moment because the amount is over the security borders of our rules.

Here is what we have on file for you. Take a second to confirm we have your correct information.
Email
[reciptient]@victimdomain.com

Help Center | Security Center
Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.
Copyright 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.
PayPal Email ID PP9335

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The malicious payload is on [donotclick]spb-koalitia.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following (familiar looking IPs):

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

The malicious payload is at [donotclick]kidwingz.net/main.php?page=614411383eef8d9 (report here) which is hosted at 68.71.222.8 (Disney Online, Florida) which is the same IP address used in this similar attack and is therefore definitely worth blocking.

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

Hello xxxxxxxxxxxxxxx,
You sent a payment of $754.48 USD to Quentin Cotton
Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
It may take a few moments for this transaction to appear in your account.
________________________________________

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

The malicious payload is at [donotclick]itscholarshipz.net/main.php?page=888c5b8a2e6174bc hosted on 68.71.222.8 (Disney Online, US) (report here). "Disney Online" appears to be some sort of ISP in Florida.

These other two domains are also hosted on that server and are probably worth avoiding:defencesupernow.com
homeofficecaptioning.ru

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

The link in the email goes to a malicious payload at [donotclick]adnroidsoft.net/main.php?page=017f3bb5c2be6a41 (report here) hosted on 120.197.89.124 (China Mobile Communications Corporation). Unless you do business with China, you might want to consider blocking 120.192.0.0/11 to be on the safe side.

Other sites on the same IP which may also be malicious are:bestcompdefence.netlifelovework.net

You just sent a payment
Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Enrique Peterson
wcEnrique22@hotmail.com
Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY�14225
United States
Total $140.00 USD
Payment $60.00 USD
Payment sent to Enrique Peterson

Help Centre | Resolution Centre | Security Centre

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1526

The malicious payload is on 72.46.140.14/showthread.php?t=9d77a9163cda8dbe (report here) and is hosted by Versaweb in the US, suballocated to "Silver Knight Enterprises Corp" of Las Vegas.

You just sent a payment
Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Jame Peterson
wcJame22@hotmail.com
Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY�14225
United States
Total $100.00 USD
Payment $60.00 USD
Payment sent to Jame Peterson

Help Centre | Resolution Centre | Security Centre

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

Monday, 1 June 2009

Part of an ongoing domain name scam, flyappraisals.com is a fake domain name appraisal used in conjunction with a bogus unsolicited offer to buy a domain, similar to the following:

We are interested to buy your domain name [redacted] and offer to buy it from you for 65% of the appraised market value.

As of now we accept appraisals from either one of the following leading appraisal companies:

sedo.comflyappraisals.comaccuratedomains.com

If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Out of these three "appraisal" companies, flyappraisals.com is the cheapest. So, naturally a lot of people will part with some money for an appraisal. Of course, the offer to buy the domain name never comes through and the domain name owner is out of pocket.

It looks like this scam is being run out of Canada, and we have covered it many times before: here, here, here and here. If you live in Canada and have been ripped off, then reporting it to the RCMP may get some results. You should also raise a dispute with PayPal to get a refund.

This particular site has a jolly bit of flash on it, unlike the plain HTML of the old sites. It is hosted on 124.217.231.209 in Malaysia.

Hello,
I came across your domain name [REDACTED]COM and I would be interested in buying it from you.
Here is my offer, you have to send me a professional appraisal from one of the following companies. and I will pay you 85% of the appraised price.
For payments under $2000 I prefer to use paypal. And for larger amounts of money I prefer if we used escrow.com

I accept appraisals from any of these companies:

-sedo.com
-pedma.com
-accuratedomains.com

If you already have an appraisal from one of those companies please forward it to me, and we will do business.

Well, my spidey sense started to tingle. The domain in question is not great and I'm really holding it for a future project that I haven't gotten around to. So I have certainly never had it professionally appraised.

So, let's say that I'm interesting in selling this domain and want to get a professional appraisal. Sedo charge $29, Accurate Domains charge $27 and Pedma charges $22.95. What's more, Pedma promises to refund your appraisal money or buy the domain itself if you don't sell it within 6 months.

Pedma looks like the best option. But who are they exactly?

Here's the thing - there is almost nothing about them in Google. It looks like they have been in the domain appraisal business for hardly any time at all. So isn't it odd that they are being recommended?

About the same time, the IP address of pedma.com changed from 208.69.122.200 to 174.132.194.58. Now, the 208.x.x.x address was mentioned a few days ago on another blog for questionable domain practices, so you might suggest that this is not a coincidence.

The site itself seems to be free of malware, so poking around at the pedma.com site reveals a few other interesting things.

Click through to the Contact page:

The following contact details are listed:

20 Crawford Street
London
W1H 1PJ
United Kingdom

Email: support@pedma.com

It looks like this may be an accommodation address or perhaps a virtual office of some sort, probably located above a shop [sorry, IE required]. Definitely not Canada. (Update: it looks like a branch of Mail Boxes Etc thanks to Google's new UK streetview.)

Clicking through on the "Buy Now" link takes you to a PayPal page, also mentioning Canada:

The payee is "Unique Desktop". Whoever they are. This is one of the weakness of PayPal - I don't really have an idea who I am dealing with here. I don't advise that you pay them anything, indeed there is no part of the payment process that actually specified what domain you want appraising or your contact details.

A further clue that something is wrong comes from their "Service" page which contains the following text:

How much is your domain really worth? An expert evaluation of a domain name's value is critical intelligence for domain buyers and sellers looking to determine a fair market price. An appraisal is your first step to making a great sale!

Every appraisal individually researched by domain industry pros, because no software is a substitute for real-world experience.

Your domain name could be worth thousands of dollars and may even be tax deductible!

Join many others who discovered what their domains were worth using our Domain Name Appraisal Service! Your domain will be appraised based on a number of separate factors including marketability, brand recognition, unique type in traffic, and comparison with other domain name sales. In addition to the following criteria:

After you make your first purchase we will email you your Pedma Account log in information. Once you are logged in, you will find all your domain appraisals neatly organized (including appraisal reports, and appraisal banners). We make it easy to keep track of all your appraisals!

In fact, the majority of this text is stolen directly from Sedo and Moniker - it's a straight copy-and-paste job.

So: this "appraisal" site appears to have been active for just a few days, the site content is stolen from others, the contact details on the page do not match the WHOIS, the payment process does not allow you to specify the domain to appraise and your contact details, and the IPs have recently been connected to another dubious domain name pitch.

It looks on the surface as if this is an attempt to get people to sign up for this so-called appraisal service, and nothing more. Pedma.com is certainly not a recognised or trustworthy site, so it is likely that the offer to buy the domain is similarly dubious. Of course, if you work for Pedma.com, please feel free to correct any errors in the comments section below.

If you have spent any money on the appraisal, then I would advise you to start a PayPal dispute to recover the money as there is some evidence to suggest that the original offer is not genuine.

Additional information:
a bit more research shows indicates the domain pedma.com was sold via eBay item #170253846100 in August 2008 to a member called unique*money, presumably this is Manuel Fichter.

Now, it might be that Mr Fichter sold the domain on and perhaps it is a coincidence that the new owner lives in the same area and has used exactly the same telephone number. Note that the seller "bargaindomains" is a reputable eBay seller who just sold the domain on in August.

About the London address: there is no company by the name of "Pedma" operating in the UK, according to Companies House.

The PayPal billing name of "Unique Desktop" is connected with the domain "fastbooster.com". The terse WHOIS details for that mention an email address of willyfichter@googlemail.com, but earlier last year it had a rather more full domain description:

It is hard to be 100% certain who is sending out these "offers". But at a guess, one of these Mr Fichters might have an idea.

Update:
pedma.com has been suspended by HostGator. Yeay.

Another update (18/3):
The owner of pedma.com is now desperately trying to punt the domain name on Sedo for $1000, which is a bit rich considering that he ripped off Sedo's text for the fake appraisal site!